[HTTP] Internal routes cannot be used in href tags on serverless #163678
Comments
Pinging @elastic/kibana-core (Team:Core)
One approach is for us to provide the same workaround as we do for communicating versions, but instead of requiring it to be explicitly enabled we will accept a request to an internal route if:
This way we can use internal, restricted HTTP APIs in download tags too. If we go this route, I think we should make these concepts first class citizens in the browser's fetch implementation by providing a way to set the query param via an option on the fetch interface.
The `elasticInternalOrigin`
#163796
…m `elasticInternalOrigin` (#163796)

## Summary

Closes #163678

* Raise the notion of "internal" into `CoreKibanaRequest`. This enables us to share this with lifecycle handlers and control validation of query params
* Added new `isInternalRequest` alongside `isSystemRequest` and `isFakeRequest`
* Slight simplification to existing internal restriction check
* Some other chores and minor fixes

## Test

* Start ES with `yarn es serverless` and Kibana with `yarn start --serverless --server.restrictInternalApis=true`
* Add the service account token to `kibana.dev.yml`: `elasticsearch.serviceAccountToken: <SAT>`
* Send a request to an internal endpoint like: `curl -XPOST -uelastic:changeme http://localhost:5601/<base-path>/api/files/find -H 'kbn-xsrf: foo' -H 'content-type: application/json' -d '{}'`
  * Should give you a 400 result
  * message like `{"statusCode":400,"error":"Bad Request","message":"uri [http://localhost:5603/api/files/find] with method [post] exists but is not available with the current configuration"}`
* Send the same request, but include the query param: `elasticInternalOrigin=true`
  * Should give you a 200 result

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
…m `elasticInternalOrigin` (elastic#163796) (cherry picked from commit 23d3955)
…ry param `elasticInternalOrigin` (#163796) (#164278)

# Backport

This will backport the following commits from `main` to `8.10`:
- [[HTTP] Allow for internal requests to also specify special query param `elasticInternalOrigin` (#163796)](#163796)

Source commit 23d39555e0d0fc36c760f0c148913db69749cb47 on `main`, committed 2023-08-21, labels: Feature:http, Team:Core, release_note:skip, v8.10.0, v8.11.0.

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Jean-Louis Leysens <jeanlouis.leysens@elastic.co>
When a route is `access: internal` and we turn on `server.restrictInternalApis` (as we have for serverless), these routes require the presence of `x-elastic-internal-origin` to be usable. This renders the route unusable in hrefs where headers cannot be specified (affected are especially file downloads). This is similar to the issue we face when we make a route internal and versioned.
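To make the gate discussed in this issue and in #163796 concrete, here is an added example, written for this page and not taken from Kibana's code base. It models a route declared `access: internal` under `server.restrictInternalApis`: the request passes when it carries the `x-elastic-internal-origin` header or, as the PR adds, the `elasticInternalOrigin=true` query parameter, which is the only form an `<a href>` or download link can carry. The 400 message follows the shape quoted in the PR's test notes. Everything else (`gateRoute`, `splitUrl`, `withInternalOrigin`, the `Route`/`Request` shapes, the sample host and route) is an assumption made for the example; in particular, stripping the marker from the query before route-level validation is this example's reading of the PR's "control validation of query params" item, not a description of what Kibana does.

```typescript
// Added example, not Kibana's own code. Models the internal-route gate from
// this issue: an `access: 'internal'` route under `server.restrictInternalApis`
// is served only when the caller marks the request as internal, either with the
// `x-elastic-internal-origin` header or the `elasticInternalOrigin=true` query
// parameter (the form an <a href> can use). All names except those two markers
// and the config flag are assumptions made for this example.

type Method = 'get' | 'post';

interface Route { method: Method; path: string; access: 'public' | 'internal' }

interface Request {
  method: Method;
  url: string;                         // absolute URL, may include a query string
  headers: { [name: string]: string };
}

interface Decision {
  status: number;
  query: { [key: string]: string };    // query forwarded to the route's own validation
  message?: string;
}

const INTERNAL_ORIGIN_HEADER = 'x-elastic-internal-origin';
const INTERNAL_ORIGIN_QUERY = 'elasticInternalOrigin';

// Split a URL into the part reported in error messages and its decoded query pairs.
function splitUrl(url: string): { base: string; query: { [key: string]: string } } {
  const idx = url.indexOf('?');
  const base = idx === -1 ? url : url.slice(0, idx);
  const query: { [key: string]: string } = {};
  if (idx !== -1) {
    for (const pair of url.slice(idx + 1).split('&')) {
      if (pair === '') continue;
      const eq = pair.indexOf('=');
      const k = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
      query[k] = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    }
  }
  return { base, query };
}

// A request counts as internal if either marker is present (analogous in spirit
// to the `isInternalRequest` flag the PR adds). Header lookup is case-insensitive.
function isInternalRequest(req: Request): boolean {
  const hasHeader = Object.keys(req.headers).some(
    (h) => h.toLowerCase() === INTERNAL_ORIGIN_HEADER && req.headers[h] !== ''
  );
  const hasQuery = splitUrl(req.url).query[INTERNAL_ORIGIN_QUERY] === 'true';
  return hasHeader || hasQuery;
}

// Gate an already-matched route. The marker is removed from the forwarded query
// so a route with strict query validation does not reject it (assumption).
function gateRoute(route: Route, req: Request, restrictInternalApis: boolean): Decision {
  const { base, query } = splitUrl(req.url);
  const forwarded: { [key: string]: string } = {};
  for (const k of Object.keys(query)) {
    if (k !== INTERNAL_ORIGIN_QUERY) forwarded[k] = query[k];
  }
  if (route.access === 'internal' && restrictInternalApis && !isInternalRequest(req)) {
    return {
      status: 400,
      query: forwarded,
      message: `uri [${base}] with method [${route.method}] exists but is not available with the current configuration`,
    };
  }
  return { status: 200, query: forwarded };
}

// Browser-side helper for the href case: an <a href> cannot set headers, so the
// marker is appended to the link instead.
function withInternalOrigin(href: string): string {
  const sep = href.indexOf('?') === -1 ? '?' : '&';
  return `${href}${sep}${INTERNAL_ORIGIN_QUERY}=true`;
}

// Constructed sample: the files route named in the PR, on a placeholder host.
const filesFind: Route = { method: 'post', path: '/api/files/find', access: 'internal' };
const plain: Request = {
  method: 'post',
  url: 'http://localhost:5601/api/files/find',
  headers: { 'kbn-xsrf': 'foo' },
};
const viaHeader: Request = { ...plain, headers: { 'kbn-xsrf': 'foo', 'X-Elastic-Internal-Origin': 'Kibana' } };
const viaQuery: Request = { ...plain, url: withInternalOrigin('http://localhost:5601/api/files/find?perPage=10') };

const results = {
  plain: gateRoute(filesFind, plain, true),          // 400, marker absent
  viaHeader: gateRoute(filesFind, viaHeader, true),  // 200 via header
  viaQuery: gateRoute(filesFind, viaQuery, true),    // 200 via query param, marker stripped
  unrestricted: gateRoute(filesFind, plain, false),  // 200, restriction disabled
};
```

The `viaQuery` case is the one this issue is about: a download link built with `withInternalOrigin` reaches the route without any header, and the route's own handler still sees only `perPage=10`. Note that the query marker is a deliberate opt-in signal, not an authentication step; the request is still subject to whatever authentication and authorization the route enforces.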